Canadian Cyber Security Journal

PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Actively Exploited as CISA Deadline Arrives — What Canadian Organizations Must Do Now

What Happened

Palo Alto Networks PAN-OS GlobalProtect is under active attack. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and set a federal agency remediation deadline of June 1, 2026. The vulnerability is an authentication bypass affecting PAN-OS firewalls where GlobalProtect portal or gateway is configured with authentication override cookies enabled and a specific certificate configuration.

Rapid7 documented the earliest confirmed exploitation on May 17, 2026. Two distinct attack waves followed: the first launched from infrastructure hosted by Vultr beginning May 18, the second from Dromatics Systems infrastructure starting May 21. The flaw allows an unauthenticated remote attacker to bypass authentication controls and establish an unauthorized VPN connection to the target network. Palo Alto Networks confirmed active exploitation in an updated advisory and has patches available for all affected PAN-OS versions. (Source: Help Net Security)

Why This Matters for Canadian Organizations

Palo Alto Networks firewalls and GlobalProtect VPN are pervasive across Canadian enterprise, government, financial services, healthcare, and critical infrastructure environments. GlobalProtect is frequently the primary remote access control for employees, contractors, and third-party vendors. An authentication bypass at this layer does not require attackers to defeat multi-factor authentication or steal credentials — it removes the authentication requirement entirely for affected configurations.

Canadian organizations operating under OSFI B-13 technology and cyber risk guidelines face an explicit obligation to maintain patching processes for internet-facing systems. A perimeter control that allows unauthenticated network access represents a direct failure of that obligation. Under PIPEDA, unauthorized access to internal networks through a compromised VPN gateway triggers breach assessment and potential notification obligations if personal information was reachable. For organizations aligning with Bill C-26 Critical Cyber Systems Protection Act obligations, perimeter firewall integrity is a foundational control. The CCCS has not issued a specific advisory for CVE-2026-0257 at time of writing, but the CISA KEV designation and active exploitation confirmation represent the same threshold Canadian security teams should treat as requiring immediate action.

What to Do

Check your PAN-OS version and apply the patches released by Palo Alto Networks immediately. As an interim step, Palo Alto Networks recommends disabling authentication override cookies if they are not required, or applying the Threat Prevention signature ID 510019 if your organization has a Threat Prevention subscription. Review GlobalProtect logs for any unauthorized connections or authentication anomalies since May 17, particularly from Vultr or Dromatics Systems IP ranges. Assess whether any internal resources were accessible to connections established through the portal or gateway during the exposure window. Palo Alto Networks’ advisory at security.paloaltonetworks.com/CVE-2026-0257 contains full affected version lists and patch guidance.
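The log review described above can be scripted. The following is an added example, not code from Palo Alto Networks or the article's sources: it assumes GlobalProtect logs exported to CSV with hypothetical column names (`time`, `public_ip`, `user`, `event`, `status`) and uses placeholder documentation CIDRs where your team would load the current published ranges for the hosting providers named above.

```python
import csv
import io
import ipaddress
from datetime import datetime

WINDOW_START = datetime(2026, 5, 17)  # earliest confirmed exploitation per the article

# Placeholder CIDRs (RFC 5737 documentation ranges), NOT real provider ranges.
WATCH_RANGES = {
    "hosting-provider-1 (placeholder)": ["203.0.113.0/24"],
    "hosting-provider-2 (placeholder)": ["198.51.100.0/24"],
}

# Constructed sample export; column names and values are assumptions.
SAMPLE_LOG = """time,public_ip,user,event,status
2026-05-16 23:50:00,203.0.113.7,alice,connected,success
2026-05-18 02:14:09,203.0.113.7,svc-backup,connected,success
2026-05-18 02:20:41,203.0.113.7,svc-backup,connected,success
2026-05-19 09:01:00,192.0.2.10,bob,connected,success
2026-05-21 11:30:12,198.51.100.23,jdoe,auth,failure
2026-05-21 11:31:02,198.51.100.23,jdoe,connected,success
2026-05-22 08:00:00,not-an-ip,carol,connected,success
"""

def triage(log_text, ranges=WATCH_RANGES, since=WINDOW_START):
    """Summarise, per source IP, rows inside the window that come from a watched range."""
    nets = [(label, ipaddress.ip_network(cidr))
            for label, cidrs in ranges.items() for cidr in cidrs]
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if when < since:
            continue  # before the exposure window
        try:
            ip = ipaddress.ip_address(row["public_ip"])
        except ValueError:
            continue  # malformed address field; review such rows separately
        label = next((name for name, net in nets if ip in net), None)
        if label is None:
            continue  # source is outside every watched range
        hit = hits.setdefault(str(ip), {"range": label, "first": when, "last": when,
                                        "users": set(), "success": 0, "failure": 0})
        hit["first"], hit["last"] = min(hit["first"], when), max(hit["last"], when)
        hit["users"].add(row["user"])
        hit["success" if row["status"] == "success" else "failure"] += 1
    return hits

if __name__ == "__main__":
    for ip, hit in sorted(triage(SAMPLE_LOG).items()):
        print(ip, hit["range"], hit["first"], hit["last"], sorted(hit["users"]),
              f'success={hit["success"]} failure={hit["failure"]}')
```

The per-IP first and last timestamps and the set of usernames give a starting point for the follow-on step of assessing which internal resources those sessions could reach.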
